Hacker's ad for a Yahoo email-stealing exploit, up for sale at $700

Brian Krebs has located and published a sales pitch from a hacker who has found a zero-day exploit allowing him to steal cookies from Yahoo webmail users, granting access to their accounts.

“I’m selling Yahoo stored xss that steal Yahoo emails cookies and works on ALL browsers,” wrote the vendor of this exploit, using the hacker handle ‘TheHell.’ “And you don’t need to bypass IE or Chrome xss filter as it do that itself because it’s stored xss. Prices around for such exploit is $1,100 – $1,500, while I offer it here for $700. Will sell only to trusted people cuz I don’t want it to be patched soon!”

Yes. This is the sort of trick that you would use in a phishing expedition, whereby the attacker might expect only 1% of the 1,000,000 people he emailed to click on the link. A career criminal could easily turn a profit from the initial investment.

It’s a good trick to employ, as the attacker does not need to forge the login page of the affected site; in fact, the browser will likely log the user straight into the account if a cookie is active from a previous session. This can be observed in the video.